Can a U.N. Report Help Rein in Expansive and Abusive Digital Surveillance?

Earlier this year, Reuters broke a stunning story. It disclosed that intelligence services from the United Arab Emirates had hired ex-U.S. operatives from the National Security Agency to hack into the iPhones of Emirati citizens in order to access their personal phone numbers, emails, passwords and even follow their location. The operation, code-named “Project Raven,” was supposed to track Islamic State cells. But Reuters uncovered a much more sinister pattern of surveillance. Under the guise of national security, Raven contractors broke into the personal communications of scores of human rights activists, civil society leaders and investigative journalists, both in the United Arab Emirates and in the United States, including American citizens.

One of the targets was Emirati activist Ahmed Mansoor, a public critic of the UAE’s human rights record; in 2015, he won the Martin Ennals Award for Human Rights Defenders, considered by some the Nobel Prize for human rights. Using an advanced surveillance tool named “Karma,” Raven operatives downloaded troves of material from Mansoor’s personal computer—email screenshots, private phone numbers, personal photos. The Emirati government then used this material to convict Mansoor in a secret 2017 trial, nominally for “damaging the country’s unity” after taking photos of a prisoner he visited in an Emirati jail, and sentenced him to 10 years in solitary confinement.

What makes Karma so insidious is that it does not require users to click on a link in order to activate malware that will compromise an individual’s computer or phone. Instead, Karma remotely provides access to iPhones “simply by uploading phone numbers or email accounts into an automated targeting system,” as Reuters reported. Where did Karma originate from? And how did former NSA operatives become involved in assisting Emirati subterfuge against legitimate government critics?

The answer relates to a small Maryland company named CyberPoint. Founded in 2009 by tech entrepreneur Karl Gumtow, CyberPoint had built a reputation as a respectable cybersecurity firm with contracts across the U.S. government. In 2014, it signed a deal with the National Electronic Security Authority, the UAE’s version of the NSA, to provide advanced surveillance services. This is how Project Raven got its start. While the contract would later shift to a local Emirati company, DarkMatter, the initial recruitment of U.S. technical experts, the provision of cutting-edge surveillance technology, and the exploitation of this technology to imprison human rights activists all stem from CyberPoint’s contract.

Such accounts are increasingly the norm. The private surveillance industry has skyrocketed in the past decade, with companies like CyberPoint marketing and selling sophisticated technologies—from spyware programs and facial recognition to tools that can hack mobile phones and intercept digital networks—to government agencies and intelligence services worldwide. Autocratic leaders and authoritarian regimes are major clients, but the bulk of this advanced surveillance equipment is provided by companies located in advanced democracies, such as the United States (Bluecoat, Palantir), Israel (NSO Group, NICE Systems), Italy (Hacking Team), and the United Kingdom (L3 Technologies). A 2016 report by London-based Privacy International documented 528 companies peddling advanced surveillance technologiesaround the world—nearly 90 percent of them based in OECD member states.

On May 28, David Kaye, the United Nations’ special rapporteur on freedom of opinion and expression, released a scathing report blasting the private surveillance industry. He described “a cloak of secrecy,” where companies like CyberPoint provide powerful tools that allow states to “conduct unlawful surveillance without fear of legal consequence” against journalists, human rights activists, civil society organizations and regime critics. Kaye called for “an immediate moratorium on the global sale and transfer of the tools of the private surveillance industry until rigorous human rights safeguards are put in place to regulate such practices.”

Kaye’s report acknowledges that there are legitimate reasons why governments rely on surveillance technology. Monitoring tools can play a crucial role in combating terrorism. They can help local police forces deter crime and solve complicated cases. They offer states the ability to track dangerous threats and respond accordingly. But international law imposes limits based on the “necessity and proportionality” standard—restricting surveillance to situations that are “strictly and demonstrably necessary to achieve a legitimate aim.” Unfortunately, governments routinely shirk these obligations, particularly in countries with a record of oppression and rampant human rights violations.

Until governments decide to enforce real penalties against companies whose products violate human rights, it is hard to imagine they will change their behavior.

Kaye’s proposal for a moratorium is bold. His report deftly outlines the limitations of the legal framework governing states’ use of surveillance. And he picks apart the paper-thin explanations by private companies to justify the sales of such tools, exposing the obfuscations and crooked practices of the private surveillance industry. But as he admits, there are no easy answers when it comes to reining in the spread of digital surveillance, interception and hacking.

Policymakers rely on a basket of approaches to restrict the proliferation of threatening technologies. They include export controls, enhanced public oversight, corporate responsibility and legal redress.

When it comes to export controls, the dominant framework is the Wassenaar Arrangement, comprising 42 advanced economies that coordinate export controls of conventional arms and dual-use technology. In 2013, the group added surveillance intrusion software to its list of technologies that require additional controls. However, Wassenaar is nonbinding and lacks an enforcement mechanism. It has been wholly ineffective in constraining unlawful surveillance. “It is insufficient to say that a comprehensive system for control and use of targeted surveillance technologies is broken,” Kaye observes in his report. “It hardly exists.”

On the accountability front, Kaye proposes creating “co-regulatory initiatives,” which would establish international obligations for private surveillance companies and contracting states. These initiatives range from voluntary codes of conduct to more formal legal frameworks, such as the 2008 Montreux Document, which applies to the use of private military and security contractors. He also advocates for more consequential public oversight and providing legal redress for victims of illegal surveillance.

These are smart ideas. But the likelihood of implementation is low barring an intensified public outcry and greater political pressure. The overriding problem is that surveillance companies lack an incentive to clean up their act. Until governments decide to enforce real penalties against companies whose products violate human rights, it is hard to imagine they will change their behavior. And because there has been minimal public concern or awareness about the dangers of advanced surveillance beyond scattered advocacy campaigns like the one calling for Mansoor’s release in the UAE, liberal democracies face little pressure to crack down on these technologies.

The picture isn’t completely bleak. There is a nascent movement, for example, to require companies to perform mandatory human rights due diligence for potential uses of their products. France, the Netherlands and the European Union as a whole have already passed such legislation. Whether these laws will have teeth and actually change corporate behavior is an open question, though.

Perhaps the U.N. report’s greatest contribution for now is to force a much-needed public debate about the growing use of surveillance technologies—and to foster outrage about the abuses stemming from their misuse. In time, an upsurge of public disproval may compel new policies that will hold a shadowy, unregulated and reckless industry accountable for its intrusions of privacy and violations of human rights.

Steven Feldstein is the Frank and Bethine Church Chair of Public Affairs at Boise State University. He is also a nonresident fellow at the Carnegie Endowment for International Peace’s Democracy and Rule of Law Program. From 2014 to 2017, he served as U.S. Deputy Assistant Secretary of State for Democracy, Human Rights and Labor. Follow him on Twitter @SteveJFeldstein.